Investigation: Launch of the Ukrainian Government’s Electronic Asset Declaration System

On August 15, the National Agency on Corruption Prevention of Ukraine launched an online asset declaration system intended to enable transparent reporting of income and assets by hundreds of thousands of Ukrainian officials. However, this e-declaration system was launched after it had been denied certification as secure and deemed noncompliant with the law. The potential consequences of this event include both reputational loss and political fallout. This is not a matter to tread lightly upon. Thus, we at the Maidan Monitoring Information Center have performed an extensive investigation and a detailed analysis of the launch. Here we provide a brief summary of our findings and our initial informed conclusions.

Summary of findings

The software for collecting, processing and publishing the electronic asset declarations of Ukrainian public servants was developed over the course of a year in a non-transparent process.

This software contains at least three vulnerabilities that fall into categories of the well-known OWASP Top 10 list: Top 10 2013-A2 Broken Authentication and Session Management, Top 10 2013-A5 Security Misconfiguration, and Top 10 2013-A10 Unvalidated Redirects and Forwards. This list is a de facto industry standard, and compliance with it was a requirement of the RFP mentioned above. These vulnerabilities were detected and documented by volunteer IT specialists through testing of the publicly available web interface, without any formal penetration test being performed.

The Ministry of Justice of Ukraine, which had originally ordered the system, did not take part in the system's evaluation and approval process.

The National Agency on Corruption Prevention accepted the system and made it public on August 15, 2016. Contrary to some media reports and statements by officials, the system displayed no notice indicating that it was operating in test mode. For nine days the system was public, and any user could encounter its faults and vulnerabilities; we have documented these in detail. On August 23, 2016, the system was taken offline after a public appeal by the Prime Minister of Ukraine.

Further system development is now being performed by the State Service for Special Communication and Information Protection of Ukraine.

Conclusions

Had the system gone into official operation, it would have been producing documents that no court would accept as valid.

The enormous amount of personal data the system collects exceeds that held by any Ukrainian state register and includes third-party data, such as that of family members, co-owners, employers, etc. This personal data is not protected and could easily be obtained by third parties.

The question of who is blocking corruption prevention in Ukraine remains unanswered. We continue to research the history of the system's development and funding and the preparation and adoption of the related legislation. However, it is clear at this juncture that the only institution not responsible for the failure of the Electronic Asset Declaration System is the State Service for Special Communication and Information Protection of Ukraine.